
Showing papers on "Denial-of-service attack published in 2011"


Journal ArticleDOI
TL;DR: This survey presents a detailed up-to-date discussion on the jamming attacks recorded in the literature and describes various techniques proposed for detecting the presence of jammers.
Abstract: The shared nature of the medium in wireless networks makes it easy for an adversary to launch a Wireless Denial of Service (WDoS) attack. Recent studies demonstrate that such attacks can be very easily accomplished using off-the-shelf equipment. To give a simple example, a malicious node can continually transmit a radio signal in order to block any legitimate access to the medium and/or interfere with reception. This act is called jamming and the malicious nodes are referred to as jammers. Jamming techniques vary from simple ones based on the continual transmission of interference signals, to more sophisticated attacks that aim at exploiting vulnerabilities of the particular protocol used. In this survey, we present a detailed up-to-date discussion on the jamming attacks recorded in the literature. We also describe various techniques proposed for detecting the presence of jammers. Finally, we survey numerous mechanisms which attempt to protect the network from jamming attacks. We conclude with a summary and by suggesting future directions.

638 citations


Journal ArticleDOI
TL;DR: Two new information metrics, the generalized entropy metric and the information distance metric, are proposed to detect low-rate DDoS attacks by measuring the difference between legitimate traffic and attack traffic.
Abstract: A low-rate distributed denial of service (DDoS) attack has significant ability of concealing its traffic because it is very much like normal traffic. It has the capacity to elude the current anomaly-based detection schemes. An information metric can quantify the differences of network traffic with various probability distributions. In this paper, we innovatively propose using two new information metrics, the generalized entropy metric and the information distance metric, to detect low-rate DDoS attacks by measuring the difference between legitimate traffic and attack traffic. The proposed generalized entropy metric can detect attacks several hops earlier (three hops earlier while the order α = 10) than the traditional Shannon metric. The proposed information distance metric outperforms (six hops earlier while the order α = 10) the popular Kullback-Leibler divergence approach as it can clearly enlarge the adjudication distance and then obtain the optimal detection sensitivity. The experimental results show that the proposed information metrics can effectively detect low-rate DDoS attacks and clearly reduce the false positive rate. Furthermore, the proposed IP traceback algorithm can find all attacks as well as attackers from their own local area networks (LANs) and discard attack traffic.

351 citations
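The two metrics above are easy to compute from a per-flow packet histogram. The following is an added worked example (not code from the paper): it builds a constructed legitimate window and a constructed low-rate attack window over the same 20 client addresses, then compares how far the Shannon entropy (α = 1) and the generalized (Rényi) entropy of order α move, and how the Kullback-Leibler divergence compares with a higher-order divergence. The symmetrised form D_α(P||Q) + D_α(Q||P) used for the "information distance" is an assumption about the paper's metric, as are the sample counts.

```python
import math

# Constructed sample windows (not from the paper): packets per source address
# seen at a router in one sampling interval.  Twenty legitimate clients send
# 5 packets each; in the attack window four of them are also bots that quietly
# add 3 packets each, so the low-rate attack barely moves the distribution.
CLIENTS = ["10.0.0.%d" % i for i in range(1, 21)]
LEGIT_WINDOW = {ip: 5 for ip in CLIENTS}
ATTACK_WINDOW = dict(LEGIT_WINDOW)
for bot in CLIENTS[:4]:
    ATTACK_WINDOW[bot] += 3


def distribution(counts):
    """Turn per-key packet counts into an empirical probability distribution."""
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def generalized_entropy(p, alpha):
    """Renyi entropy H_alpha(P) in bits; alpha == 1 is the Shannon entropy."""
    if alpha == 1:
        return -sum(pi * math.log2(pi) for pi in p.values() if pi > 0)
    return math.log2(sum(pi ** alpha for pi in p.values())) / (1 - alpha)


def generalized_divergence(p, q, alpha, eps=1e-12):
    """Renyi divergence D_alpha(P||Q) in bits; alpha == 1 is the KL divergence.
    Keys missing on one side get a tiny floor so the logarithm stays finite."""
    keys = set(p) | set(q)
    if alpha == 1:
        return sum(p[k] * math.log2(p[k] / q.get(k, eps)) for k in p if p[k] > 0)
    s = sum(p.get(k, eps) ** alpha * q.get(k, eps) ** (1 - alpha) for k in keys)
    return math.log2(s) / (alpha - 1)


def information_distance(p, q, alpha):
    """Symmetrised divergence D_alpha(P||Q) + D_alpha(Q||P).  Assumed here as the
    shape of the paper's information distance metric."""
    return generalized_divergence(p, q, alpha) + generalized_divergence(q, p, alpha)


def entropy_gap(alpha, legit=LEGIT_WINDOW, attack=ATTACK_WINDOW):
    """How far the attack window's entropy drops below the legitimate baseline."""
    p, q = distribution(legit), distribution(attack)
    return generalized_entropy(p, alpha) - generalized_entropy(q, alpha)


def adjudication_distance(alpha, legit=LEGIT_WINDOW, attack=ATTACK_WINDOW):
    """Distance between the legitimate and attack-window distributions."""
    return information_distance(distribution(legit), distribution(attack), alpha)


if __name__ == "__main__":
    for a in (1, 2, 10):
        print("alpha=%2d  entropy gap=%.4f bits  distance=%.4f bits"
              % (a, entropy_gap(a), adjudication_distance(a)))
```

With these constructed counts the Shannon entropy drops by about 0.03 bits while the order-10 entropy drops by roughly 0.3 bits, and the order-10 distance is larger than the KL-based one; that widening of the gap is what lets a fixed threshold fire earlier along the path. Raising α also makes the metric dominated by the busiest flow, so a single heavy legitimate client can move it as well; calibrate the baseline per link rather than globally.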


Proceedings Article
08 Aug 2011
TL;DR: Kopis passively monitors DNS traffic at the upper levels of the DNS hierarchy, and is able to accurately detect malware domains by analyzing global DNS query resolution patterns.
Abstract: In recent years Internet miscreants have been leveraging the DNS to build malicious network infrastructures for malware command and control. In this paper we propose a novel detection system called Kopis for detecting malware-related domain names. Kopis passively monitors DNS traffic at the upper levels of the DNS hierarchy, and is able to accurately detect malware domains by analyzing global DNS query resolution patterns. Compared to previous DNS reputation systems such as Notos [3] and Exposure [4], which rely on monitoring traffic from local recursive DNS servers, Kopis offers a new vantage point and introduces new traffic features specifically chosen to leverage the global visibility obtained by monitoring network traffic at the upper DNS hierarchy. Unlike previous work Kopis enables DNS operators to independently (i.e., without the need of data from other networks) detect malware domains within their authority, so that action can be taken to stop the abuse. Moreover, unlike previous work, Kopis can detect malware domains even when no IP reputation information is available. We developed a proof-of-concept version of Kopis, and experimented with eight months of real-world data. Our experimental results show that Kopis can achieve high detection rates (e.g., 98.4%) and low false positive rates (e.g., 0.3% or 0.5%). In addition Kopis is able to detect new malware domains days or even weeks before they appear in public blacklists and security forums, and allowed us to discover the rise of a previously unknown DDoS botnet based in China.

302 citations


Proceedings ArticleDOI
10 Apr 2011
TL;DR: A new evaluation dataset, called Kyoto 2006+, built on 3 years of real traffic data obtained from diverse types of honeypots, which will greatly contribute to IDS researchers in obtaining more practical, useful and accurate evaluation results.
Abstract: With the rapid evolution and proliferation of botnets, large-scale cyber attacks such as DDoS and spam emails are also becoming more and more dangerous and serious cyber threats. Because of this, network based security technologies such as Network based Intrusion Detection Systems (NIDSs), Intrusion Prevention Systems (IPSs) and firewalls have received remarkable attention to defend our crucial computer systems, networks and sensitive information from attackers on the Internet. In particular, there has been much effort towards high-performance NIDSs based on data mining and machine learning techniques. However, there is a fatal problem in that the existing evaluation dataset, called the KDD Cup '99 dataset, cannot reflect current network situations and the latest attack trends. This is because it was generated by simulation over a virtual network more than 10 years ago. To the best of our knowledge, there is no alternative evaluation dataset. In this paper, we present a new evaluation dataset, called Kyoto 2006+, built on 3 years of real traffic data (Nov. 2006 ~ Aug. 2009) which are obtained from diverse types of honeypots. The Kyoto 2006+ dataset will greatly contribute to IDS researchers in obtaining more practical, useful and accurate evaluation results. Furthermore, we provide detailed analysis results of honeypot data and share our experiences so that security researchers are able to get insights into the trends of the latest cyber attacks and the Internet situation.

259 citations


Proceedings ArticleDOI
19 Jul 2011
TL;DR: This paper proposes a new approach for characterizing and detecting botnets using network traffic behaviors, and focuses on detecting P2P bots, which represent the newest and most challenging types of botnets currently available.
Abstract: Botnets have become one of the major threats on the Internet for serving as a vector for carrying attacks against organizations and committing cybercrimes. They are used to generate spam, carry out DDoS attacks and click-fraud, and steal sensitive information. In this paper, we propose a new approach for characterizing and detecting botnets using network traffic behaviors. Our approach focuses on detecting the bots before they launch their attack. We focus in this paper on detecting P2P bots, which represent the newest and most challenging types of botnets currently available. We study the ability of five different commonly used machine learning techniques to meet online botnet detection requirements, namely adaptability, novelty detection, and early detection. The results of our experimental evaluation based on existing datasets show that it is possible to effectively detect botnets during the botnet Command-and-Control (C&C) phase and before they launch their attacks using traffic behaviors only. However, none of the studied techniques can address all the above requirements at once.

255 citations


Journal ArticleDOI
TL;DR: This paper recreates some of the current attacks that attackers may initiate as HTTP and XML, and introduces the use of a back propagation neural network, called Cloud Protector, which was trained to detect and filter such attack traffic.

239 citations


25 May 2011
TL;DR: The review finds that many NIDS limit their view of network traffic to the TCP/IP packet headers, and shows a trend toward deeper packet inspection to construct more relevant features through targeted content parsing.
Abstract: Data preprocessing is widely recognized as an important stage in anomaly detection. This paper reviews the data preprocessing techniques used by anomaly-based network intrusion detection systems (NIDS), concentrating on which aspects of the network traffic are analyzed, and what feature construction and selection methods have been used. Motivation for the paper comes from the large impact data preprocessing has on the accuracy and capability of anomaly-based NIDS. The review finds that many NIDS limit their view of network traffic to the TCP/IP packet headers. Time-based statistics can be derived from these headers to detect network scans, network worm behavior, and denial of service attacks. A number of other NIDS perform deeper inspection of request packets to detect attacks against network services and network applications. More recent approaches analyze full service responses to detect attacks targeting clients. The review covers a wide range of NIDS, highlighting which classes of attack are detectable by each of these approaches. Data preprocessing is found to predominantly rely on expert domain knowledge for identifying the most relevant parts of network traffic and for constructing the initial candidate set of traffic features. On the other hand, automated methods have been widely used for feature extraction to reduce data dimensionality, and feature selection to find the most relevant subset of features from this candidate set. The review shows a trend toward deeper packet inspection to construct more relevant features through targeted content parsing. These context sensitive features are required to detect current attacks.

227 citations


Journal ArticleDOI
TL;DR: In this paper, the authors review the data preprocessing techniques used by anomaly-based network intrusion detection systems (NIDS), concentrating on which aspects of the network traffic are analyzed and what feature construction and selection methods have been used.

227 citations


Journal ArticleDOI
TL;DR: This paper developed a real-time intrusion detection system (RT-IDS) using the Decision Tree technique to classify on-line network data as normal or attack data, and identified 12 essential features of network data which are relevant to detecting network attacks, using information gain as the feature selection criterion.

215 citations


Journal ArticleDOI
TL;DR: This paper proposes a novel traceback method for DDoS attacks that is based on entropy variations between normal and DDoS attack traffic, which is fundamentally different from commonly used packet marking techniques and is memory nonintensive, efficiently scalable, robust against packet pollution, and independent of attack traffic patterns.
Abstract: Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. However, the memoryless feature of the Internet routing mechanisms makes it extremely hard to trace back to the source of these attacks. As a result, there is no effective and efficient method to deal with this issue so far. In this paper, we propose a novel traceback method for DDoS attacks that is based on entropy variations between normal and DDoS attack traffic, which is fundamentally different from commonly used packet marking techniques. In comparison to the existing DDoS traceback methods, the proposed strategy possesses a number of advantages - it is memory nonintensive, efficiently scalable, robust against packet pollution, and independent of attack traffic patterns. The results of extensive experimental and simulation studies are presented to demonstrate the effectiveness and efficiency of the proposed method. Our experiments show that accurate traceback is possible within 20 seconds (approximately) in a large-scale attack network with thousands of zombies.

182 citations


Patent
Ramakant Pandrangi
23 Sep 2011
TL;DR: This patent describes a method and system to mitigate an attack over the Internet that collects information related to client IP addresses from a plurality of sources and analyzes the collected information to determine confidence scores.
Abstract: A method and system to mitigate an attack over the Internet includes collecting information related to a plurality of client IP addresses from a plurality of sources and analyzing the collected information to determine confidence scores for the plurality of client IP addresses. The method and system also include receiving network traffic from the Internet and limiting network traffic from a first subset of the plurality of client IP addresses characterized by a confidence score less than a first threshold. The method and system further include determining a level of the network traffic and limiting network traffic from a second subset of the plurality of client IP addresses characterized by a confidence score less than a second threshold greater than the first threshold.
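The two-tier scheme in the abstract is essentially a reputation score plus a threshold that rises when the traffic level indicates an attack. The following is an added example, not the patent's implementation: the reputation feeds, the IP addresses, the choice of a plain mean as the aggregation rule, and the token-bucket form of "limiting" are all assumptions made for illustration.

```python
from statistics import mean

# Constructed reputation feeds (not the patent's data).  Each source rates a
# client IP in [0, 1], where 1 means fully trusted; a missing entry means that
# source has no opinion about the address.
SOURCES = {
    "historical_good_clients": {"198.51.100.7": 0.9, "198.51.100.8": 0.8, "203.0.113.5": 0.2},
    "open_proxy_feed":         {"203.0.113.5": 0.0, "203.0.113.9": 0.1},
    "geo_expected_region":     {"198.51.100.7": 1.0, "198.51.100.8": 0.6, "203.0.113.9": 0.5},
}


def confidence_scores(sources):
    """Combine the per-source opinions into one confidence score per client IP.
    The patent does not fix the aggregation; a plain mean is an assumption here."""
    ips = set().union(*(s.keys() for s in sources.values()))
    return {ip: mean(s[ip] for s in sources.values() if ip in s) for ip in ips}


class TokenBucket:
    """Per-client limiter: `rate` packets per second with bursts up to `capacity`."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), 0.0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Mitigator:
    """Two-tier limiting: below `first` an IP is always limited; once the observed
    traffic level exceeds `normal_level` the bar rises to `second` (> first)."""

    def __init__(self, scores, normal_level, first=0.25, second=0.6, rate=2.0, burst=2):
        assert second > first
        self.scores, self.normal_level = scores, normal_level
        self.first, self.second = first, second
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def limited_ips(self, traffic_level):
        threshold = self.second if traffic_level > self.normal_level else self.first
        return {ip for ip, s in self.scores.items() if s < threshold}

    def admit(self, src_ip, now, traffic_level):
        """Return True if a packet from src_ip at time `now` may pass."""
        if src_ip not in self.limited_ips(traffic_level):
            return True                      # trusted enough at this traffic level
        bucket = self.buckets.setdefault(src_ip, TokenBucket(self.rate, self.burst))
        return bucket.allow(now)


if __name__ == "__main__":
    m = Mitigator(confidence_scores(SOURCES), normal_level=10_000)
    print("limited at normal load:", sorted(m.limited_ips(5_000)))
    print("limited under attack:  ", sorted(m.limited_ips(50_000)))
```

Note that addresses unknown to every feed never get a score and are therefore never limited; in practice a default score for unseen clients is needed, and that default is exactly what a spoofing attacker will probe for.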

Journal ArticleDOI
TL;DR: Different wireless network scenarios with single-stage and repeated game formulations are described to illustrate the performance loss of jamming attacks with increasing network uncertainty.
Abstract: Due to their broadcast nature, wireless networks are highly susceptible to jamming attacks resulting in denial of service. Game theory provides powerful tools to model and analyze such attacks. This article discusses a class of such jamming games played at the MAC layer among a set of transmitters and jammers. The equilibrium strategies resulting from these jamming games characterize the expected performance under DoS attacks and motivate robust network protocol design for secure wireless communications. A key characteristic of distributed wireless access networks is that users do not have complete information regarding the other users' identities, the traffic dynamics, the channel characteristics, or the costs and rewards of other users. Bayesian games are shown to be useful for modeling such uncertainties under different models for the MAC layer. Different wireless network scenarios with single-stage and repeated game formulations are described to illustrate the performance loss of jamming attacks with increasing network uncertainty.

Proceedings ArticleDOI
05 Dec 2011
TL;DR: This paper advocates a novel solution, named EDoS-Shield, to mitigate the Economic Denial of Sustainability (EDoS) attack in cloud computing systems, and designs a discrete simulation experiment to evaluate its performance, which shows that it is a promising solution to mitigate the EDoS attack.
Abstract: Cloud computing is currently one of the most hyped information technology fields and it has become one of the fastest growing segments of IT. Cloud computing allows us to scale our servers in magnitude and availability in order to provide services to a greater number of end users. Moreover, adopters of the cloud service model are charged based on a pay-per-use basis of the cloud's server and network resources, aka utility computing. With this model, a conventional DDoS attack on server and network resources is transformed in a cloud environment to a new breed of attack that targets the cloud adopter's economic resource, namely Economic Denial of Sustainability attack (EDoS). In this paper, we advocate a novel solution, named EDoS-Shield, to mitigate the Economic Denial of Sustainability (EDoS) attack in the cloud computing systems. We design a discrete simulation experiment to evaluate its performance and the results show that it is a promising solution to mitigate the EDoS.

01 Jan 2011
TL;DR: The proposed cloud IDS handles a large flow of data packets, analyzes them and generates reports efficiently; the reports are instantly sent to inform the cloud user and to give expert advice on the cloud service provider's network misconfigurations through a third-party IDS monitoring and advisory service.
Abstract: Intrusion prospects in the cloud paradigm are many and offer high gains, whether the intruder is a bad user or a competitor of the cloud client. The distributed model makes it vulnerable and prone to sophisticated distributed intrusion attacks like Distributed Denial of Service (DDoS) and Cross Site Scripting (XSS). Confronting new implementation situations, traditional IDSs are not well suited for the cloud environment. To handle large-scale network access traffic and administrative control of data and applications in the cloud, a new multi-threaded distributed cloud IDS model has been proposed. Our proposed cloud IDS handles a large flow of data packets, analyzes them and generates reports efficiently. Transparent reports are instantly sent to inform the cloud user and to give expert advice on the cloud service provider's network misconfigurations through a third-party IDS monitoring and advisory service.

Book ChapterDOI
01 Jan 2011
TL;DR: This chapter presents a moving target defense architecture called Mutable Networks or MUTE, which enables networks to change their configurations randomly and dynamically while preserving the requirements and integrity of network operation.
Abstract: This chapter presents a moving target defense architecture called Mutable Networks or MUTE. MUTE enables networks to change their configurations such as IP addresses and routes randomly and dynamically while preserving the requirements and integrity of network operation. The main goal of MUTE is to hinder the adversary's capabilities in scanning or discovering network targets, launching DoS attacks and creating botnet structures. This chapter presents the challenges and applications of moving target defense and it also presents a formal approach for creating valid mutations of network configurations.

Patent
19 Dec 2011
TL;DR: This patent describes routing remotely originated traffic through one or more locations, which may be geographically proximate to the source of a denial of service attack, and applying denial of service attack mitigation strategies to the portions of the network traffic received at those locations.
Abstract: Systems and methods protect against denial of service attacks. Remotely originated network traffic addressed to one or more network destinations is routed through one or more locations. One or more of the locations may be geographically proximate to a source of a denial of service attack. One or more denial of service attack mitigation strategies is applied to portions of the network traffic received at the one or more locations. Network traffic not blocked pursuant to the one or more denial of service attack mitigation strategies is dispatched to its intended recipient. Dispatching the unblocked network traffic to its intended recipient may include the use of one or more private channels and/or one or more additional denial of service attack mitigation strategies.

Proceedings ArticleDOI
19 Oct 2011
TL;DR: A Service Oriented Architecture (SOA) provides a platform to the developers using which they can develop various applications for IoT without any concern regarding the nature of the objects, thereby acting as a middleware.
Abstract: Internet of Things (IoT) refers to the networked interconnection of everyday objects. IoT is an upcoming research field and is being regarded as the revolution in the world of communication because of its extensible applications in numerous fields. Due to open and self-assimilation nature of these networks they are highly prone to attacks. Because of this reason security is of primary concern here. The security attack can be of various types, the idea here is to prevent IoT networks from Distributed Denial of Service (DDoS) attack. The objective of Denial of Service (DoS) is to make the server resources unavailable to the intended user, and when several such DoS attacks are present in a network then the attack is known as a DDoS attack. Our strategy is to prevent DDoS attack in IoT networks by using Learning Automata (LA) concepts. In this paper, we present a Service Oriented Architecture (SOA) which is used as a system model for IoT here. SOA provides a platform to the developers using which they can develop various applications for IoT without any concern regarding the nature of the objects, thereby acting as a middleware. The DDoS prevention strategy has been targeted for the SOA based architecture for IoT. The simulation results show that the proposed scheme is effective in preventing DDoS attacks in IoT.

Proceedings ArticleDOI
10 Apr 2011
TL;DR: A behavior based detection that can discriminate DDoS attack traffic from traffic generated by real users is proposed, and the results affirm that the proposed method can differentiate the traffic of an attack source from legitimate traffic with a quick response.
Abstract: Current DDoS attacks are carried out by attack tools, worms and botnets using different packet-transmission strategies and various forms of attack packets to beat defense systems. These problems lead to defense systems requiring various detection methods in order to identify attacks. Moreover, DDoS attacks can mix their traffic with flash crowds. By doing this, the complex defense system cannot detect the attack traffic in time. In this paper, we propose a behavior based detection that can discriminate DDoS attack traffic from traffic generated by real users. By using Pearson's correlation coefficient, our comparable detection methods can extract the repeatable features of the packet arrivals. Extensive simulations were run to test the accuracy of detection. We then performed experiments with several datasets and our results affirm that the proposed method can differentiate the traffic of an attack source from legitimate traffic with a quick response. We also discuss approaches to improve our proposed methods at the conclusion of this paper.
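The intuition behind the Pearson-correlation approach is that hosts driven by the same attack tool produce near-identical arrival patterns, whereas people in a flash crowd do not. The block below is an added illustration, not the paper's method or data: the per-interval packet counts are constructed, and the decision rule (flag any source whose arrival series correlates at 0.9 or above with some other source) is one reasonable reading of "repeatable features", not the paper's exact criterion.

```python
import math
from itertools import combinations

# Constructed sample (not from the paper): packets per 100 ms interval from each
# source address during a busy period.  Three hosts run the same pulsing attack
# tool; three are people clicking around the site.
ARRIVALS = {
    "198.51.100.10": [10, 0, 10, 0, 10, 0, 10, 0, 10, 0],   # bot
    "198.51.100.11": [12, 1, 11, 0, 12, 1, 12, 2, 11, 1],   # bot, same tool, some jitter
    "198.51.100.12": [9, 0, 9, 0, 9, 0, 9, 0, 9, 0],        # bot
    "203.0.113.20":  [3, 1, 4, 1, 5, 9, 2, 6, 5, 3],        # real user
    "203.0.113.21":  [1, 2, 2, 3, 5, 8, 3, 1, 0, 2],        # real user
    "203.0.113.22":  [4, 4, 3, 5, 2, 1, 6, 7, 2, 3],        # real user
}


def pearson(x, y):
    """Pearson's correlation coefficient of two equal-length series."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:
        return 0.0          # a constant series carries no pattern to correlate
    return cov / math.sqrt(vx * vy)


def correlated_sources(arrivals, threshold=0.9):
    """Sources whose arrival pattern is near-identical to at least one other source."""
    flagged = set()
    for (ip_a, xs), (ip_b, ys) in combinations(arrivals.items(), 2):
        if pearson(xs, ys) >= threshold:
            flagged.update((ip_a, ip_b))
    return flagged


if __name__ == "__main__":
    for (ip_a, xs), (ip_b, ys) in combinations(ARRIVALS.items(), 2):
        print("%-14s %-14s r=%+.3f" % (ip_a, ip_b, pearson(xs, ys)))
    print("flagged:", sorted(correlated_sources(ARRIVALS)))
```

The pairwise comparison is O(n²) in the number of sources, so at scale it is run against a small set of candidate heavy hitters or against a reference pattern rather than all pairs; an attacker who randomises inter-packet timing per bot will also defeat a pure correlation test, which is why the paper positions this as one method among several.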

Journal ArticleDOI
TL;DR: An enhancement of Wang et al.'s scheme is proposed and the criteria of authentication scheme which secures a user against the risk of attack over an insecure Internet environment is provided, for instance, session key agreement, mutual authentication and perfect forward secrecy.

Book ChapterDOI
15 Jul 2011
TL;DR: The chi-square and Information gain feature selection mechanisms are used for selecting the important attributes of DDoS attacks, and the results show that Fuzzy c-means clustering gives better accuracy in identifying the attacks.
Abstract: Recently, as the serious damage caused by DDoS attacks increases, the rapid detection of the attack and the proper response mechanisms are urgent. Signature based DDoS detection systems cannot detect new attacks. Current anomaly based detection systems are also unable to detect all kinds of new attacks, because they are designed for restricted applications in limited environments. However, existing security mechanisms do not provide effective defense against these attacks, or the defense capability of some mechanisms is only limited to specific DDoS attacks. It is necessary to analyze the fundamental features of DDoS attacks because these attacks can easily vary the used port/protocol, or operation method. Also, a lot of research work has been done in detecting the attacks using machine learning techniques. Still, which features are relevant and which technique is more suitable for attack detection is an open question. In this paper, we use the chi-square and Information gain feature selection mechanisms for selecting the important attributes. With the selected attributes, various machine learning models, like Naive Bayes, C4.5, SVM, KNN, K-means and Fuzzy c-means clustering, are developed for efficient detection of DDoS attacks. Our experimental results then show that Fuzzy c-means clustering gives better accuracy in identifying the attacks.
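Both selection criteria named in the abstract are computed from a feature-versus-label contingency table. As an added example (not the paper's code or dataset), the block below scores three categorical connection features on a small constructed set of labelled records: information gain H(label) - Σ_v P(v) H(label | v) and the Pearson chi-square statistic. The record fields and values are invented for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed labelled connection records (not the paper's data).  conn_state S0
# is a half-open connection, SF a completed one; bytes is a bucketed byte count.
RECORDS = [
    {"proto": "tcp", "conn_state": "S0", "bytes": "small", "label": "attack"},
    {"proto": "tcp", "conn_state": "S0", "bytes": "small", "label": "attack"},
    {"proto": "udp", "conn_state": "S0", "bytes": "large", "label": "attack"},
    {"proto": "tcp", "conn_state": "S0", "bytes": "large", "label": "attack"},
    {"proto": "tcp", "conn_state": "SF", "bytes": "large", "label": "normal"},
    {"proto": "udp", "conn_state": "SF", "bytes": "small", "label": "normal"},
    {"proto": "tcp", "conn_state": "SF", "bytes": "small", "label": "normal"},
    {"proto": "udp", "conn_state": "SF", "bytes": "large", "label": "normal"},
]
FEATURES = ("proto", "conn_state", "bytes")


def entropy(labels):
    """Shannon entropy in bits of a list of class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(records, feature):
    """IG = H(label) - sum_v P(feature=v) * H(label | feature=v)."""
    labels = [r["label"] for r in records]
    groups = defaultdict(list)
    for r in records:
        groups[r[feature]].append(r["label"])
    conditional = sum(len(g) / len(records) * entropy(g) for g in groups.values())
    return entropy(labels) - conditional


def chi_square(records, feature):
    """Pearson chi-square statistic of the feature x label contingency table."""
    obs = Counter((r[feature], r["label"]) for r in records)
    row = Counter(r[feature] for r in records)
    col = Counter(r["label"] for r in records)
    n = len(records)
    return sum((obs[(v, l)] - row[v] * col[l] / n) ** 2 / (row[v] * col[l] / n)
               for v in row for l in col)


def rank_features(records, features, scorer):
    """Features ordered from most to least informative under the given scorer."""
    return sorted(features, key=lambda f: scorer(records, f), reverse=True)


if __name__ == "__main__":
    for f in FEATURES:
        print("%-10s IG=%.3f  chi2=%.3f" % (f, information_gain(RECORDS, f), chi_square(RECORDS, f)))
    print("by IG:  ", rank_features(RECORDS, FEATURES, information_gain))
    print("by chi2:", rank_features(RECORDS, FEATURES, chi_square))
```

Here the half-open connection state separates the classes perfectly (IG of 1 bit, chi-square of 8), protocol is weakly informative, and the byte bucket carries nothing. Both criteria favour features with many distinct values, so continuous fields such as packet counts should be bucketed, as above, before scoring.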

Patent
16 Dec 2011
TL;DR: This patent describes an edge detection device, located at the subscriber's network edge, that communicates information about attacks via status messages to an upstream service provider, which then mitigates the attacks based on the status messages.
Abstract: A method to mitigate attacks by an upstream service provider using cloud mitigation services. An edge detection device, which is located at the subscriber's network edge, is able to communicate information via status messages about attacks to an upstream service provider. The service provider is then able to mitigate attacks based on the status messages. There is a feedback loop whereby the amount of traffic dropped by the service provider is added to the network traffic to keep the mitigation request open and prevent flapping. Likewise, the detection device includes time-to-engage and time-to-disengage timers to further prevent flapping.
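The flapping problem the abstract refers to is worth seeing concretely: once the provider starts scrubbing, the edge sees only clean traffic and, without the feedback, concludes the attack is over. The following added example (not the patent's implementation) models the edge device as a small state machine with the two timers and the drop-count feedback, and drives it through a constructed attack timeline with and without the feedback. All rates, thresholds and timer values are invented for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class EdgeDetector:
    """Subscriber-edge detector that asks the upstream provider for cloud mitigation."""
    threshold_pps: float       # above this the edge considers itself under attack
    time_to_engage: int        # consecutive seconds over threshold before engaging
    time_to_disengage: int     # consecutive seconds under threshold before releasing
    engaged: bool = False
    over: int = 0
    under: int = 0
    status_log: list = field(default_factory=list)

    def step(self, t, local_pps, upstream_dropped_pps):
        # Feedback loop: traffic the provider is already dropping is added back to
        # what the edge sees; otherwise successful mitigation would look like the
        # attack ending and the mitigation request would be withdrawn too early.
        effective = local_pps + upstream_dropped_pps
        if effective > self.threshold_pps:
            self.over, self.under = self.over + 1, 0
        else:
            self.under, self.over = self.under + 1, 0
        if not self.engaged and self.over >= self.time_to_engage:
            self.engaged = True
            self.status_log.append((t, "ENGAGE"))       # status message upstream
        elif self.engaged and self.under >= self.time_to_disengage:
            self.engaged = False
            self.status_log.append((t, "DISENGAGE"))
        return self.engaged


def simulate(detector, feedback=True, seconds=40, legit_pps=100, attack_pps=5000):
    """Constructed scenario: attack from t=2 to t=29 with a lull at t=15..16.
    While engaged, the provider scrubs all attack traffic and reports the drop rate."""
    for t in range(seconds):
        attacking = 2 <= t <= 29 and not (15 <= t <= 16)
        attack = attack_pps if attacking else 0
        if detector.engaged:
            local, dropped = legit_pps, attack
        else:
            local, dropped = legit_pps + attack, 0
        detector.step(t, local, dropped if feedback else 0)
    return detector.status_log


def demo(feedback):
    """Run the scenario with fresh timers; returns the list of status transitions."""
    det = EdgeDetector(threshold_pps=1000, time_to_engage=3, time_to_disengage=5)
    return simulate(det, feedback=feedback)


if __name__ == "__main__":
    print("with feedback:   ", demo(True))
    print("without feedback:", demo(False))
```

With the feedback the device engages once at t=4 and stands down once at t=34, riding through the two-second lull because the disengage timer is longer than it. Without the feedback the same device engages and disengages four times each over the same attack, which is exactly the oscillation the timers alone cannot fix.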

Proceedings ArticleDOI
12 Dec 2011
TL;DR: The result shows that CBF has a high scoring speed, a small storage requirement and an acceptable filtering accuracy, making it suitable for real-time filtering in cloud environment.
Abstract: Distributed Denial-of-Service attack (DDoS) is a major threat for cloud environment. Traditional defending approaches cannot be easily applied in cloud security due to their relatively low efficiency, large storage, to name a few. In view of this challenge, a Confidence-Based Filtering method, named CBF, is investigated for cloud computing environment, in this paper. Concretely speaking, the method is deployed by two periods, i.e., non-attack period and attack period. More specially, legitimate packets are collected at non-attack period, for extracting attribute pairs to generate a nominal profile. With the nominal profile, the CBF method is promoted by calculating the score of a particular packet at attack period, to determine whether to discard it or not. At last, extensive simulations are conducted to evaluate the feasibility of the CBF method. The result shows that CBF has a high scoring speed, a small storage requirement and an acceptable filtering accuracy, making it suitable for real-time filtering in cloud environment.
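The two-period design in the abstract maps onto a few dozen lines. Below is an added worked example, not the paper's code: a nominal profile is built from constructed non-attack-period packets as the frequency of every (attribute, value) pair combination, each attack-period packet is scored as the mean confidence of its pairs, and packets under a threshold are discarded. The attribute set, the uniform pair weights and the threshold rule (90% of the weakest legitimate score in the profile) are assumptions; the paper's own weighting of pairs is not reproduced.

```python
from collections import Counter
from itertools import combinations

ATTRS = ("proto", "dst_port", "ttl", "len_bucket", "flags")


def pkt(proto, dst_port, ttl, len_bucket, flags):
    return dict(zip(ATTRS, (proto, dst_port, ttl, len_bucket, flags)))


# Constructed non-attack-period traffic (not the paper's data): HTTPS from Linux
# and Windows clients plus a little DNS.
NOMINAL = ([pkt("tcp", 443, 64, "large", "ACK")] * 30
           + [pkt("tcp", 443, 128, "medium", "PSH-ACK")] * 20
           + [pkt("udp", 53, 64, "small", "-")] * 10)


def attribute_pairs(p):
    """Every pair of (attribute, value) items a packet carries."""
    return [((a, p[a]), (b, p[b])) for a, b in combinations(ATTRS, 2)]


class CBF:
    def __init__(self, nominal_packets):
        # Nominal profile: how often each attribute pair appears in legitimate packets.
        self.counts = Counter(pair for p in nominal_packets for pair in attribute_pairs(p))
        self.total = len(nominal_packets)
        # Threshold derived from the profile's own weakest legitimate packet so that
        # minority legitimate traffic (here DNS) is not cut off (assumed rule).
        self.threshold = 0.9 * min(self.score(p) for p in nominal_packets)

    def confidence(self, pair):
        """Fraction of legitimate packets that carried this attribute pair."""
        return self.counts[pair] / self.total

    def score(self, p):
        """CBF score: mean confidence of the packet's attribute pairs (uniform weights)."""
        pairs = attribute_pairs(p)
        return sum(self.confidence(pair) for pair in pairs) / len(pairs)

    def filter(self, packets):
        """Attack-period filtering: keep packets whose score reaches the threshold."""
        return [p for p in packets if self.score(p) >= self.threshold]


# Constructed attack-period mix: two legitimate packets and three flood packets,
# one of which spoofs the popular destination port to look more plausible.
ATTACK_PERIOD = [
    pkt("tcp", 443, 64, "large", "ACK"),
    pkt("udp", 53, 64, "small", "-"),
    pkt("tcp", 80, 255, "small", "SYN"),
    pkt("tcp", 80, 255, "small", "SYN"),
    pkt("tcp", 443, 255, "small", "SYN"),
]


if __name__ == "__main__":
    cbf = CBF(NOMINAL)
    print("threshold = %.3f" % cbf.threshold)
    for p in ATTACK_PERIOD:
        s = cbf.score(p)
        print("%.3f %s %s" % (s, "keep" if s >= cbf.threshold else "drop", p))
```

The spoofed-port packet scores above zero because one of its ten pairs (tcp, 443) is common in the profile, but the other nine pairs are unseen and pull the mean below the threshold; that is the property that makes the per-pair lookup cheap to run at line rate. The weak point is the profile itself: an attacker who can observe or guess the legitimate attribute mix during the non-attack period can craft packets that score as well as real clients.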

Book ChapterDOI
23 Sep 2011
TL;DR: This survey paper deals with the introduction of DDoS attacks, DDoS attack history and incidents,DDoS attack strategy, DDOS attack tools, and classification of various attack and defense mechanisms.
Abstract: Distributed Denial-of-service (DDoS) attack is one of the most dangerous threats that could cause devastating effects on the Internet. DDoS mainly started in 1998 but the influence of it was realized by the people only when the big organizations and corporations were hit by DDoS attacks in July 1999. Since then several DDoS attack tools such as Trinoo, Shaft, Tribe flood network (TFN), Tribe flood network 2000 (TFN2K) and Stacheldraht have been identified and analyzed. All these tools could launch DDoS attacks from thousands of compromised hosts and take down virtually any connection, any network on the Internet by just a few command keystrokes. This survey paper deals with the introduction of DDoS attacks, DDoS attack history and incidents, DDoS attack strategy, DDoS attack tools, and classification of various attack and defense mechanisms. Finally, directions for future research work have been pointed out.

01 Jan 2011
TL;DR: An anomaly-based DDoS detection method is proposed, based on various features of attack packets obtained by studying the incoming network traffic and on the use of Radial Basis Function (RBF) neural networks to analyze these features.
Abstract: Distributed denial of service (DDoS) attacks are serious threats to the availability of Internet services. These types of attacks command multiple agents to send a great number of packets to a victim and thus can easily exhaust the resources of the victim. In this paper we propose an anomaly-based DDoS detection method based on various features of attack packets, obtained by studying the incoming network traffic, and on the use of Radial Basis Function (RBF) neural networks to analyze these features. We evaluate the proposed method using our simulated network and the UCLA Dataset. The results show that the proposed system can achieve real-time detection accuracy better than 96% for DDoS attacks.

Journal ArticleDOI
TL;DR: This article proposed a novel approach to mitigate DDoS attacks using an intelligent fast-flux swarm network, and adapted the Intelligent Water Drop algorithm for distributed and parallel optimization.
Abstract: Distributed denial of service attacks are a great threat to service availability in cloud computing. In recent years, DDoS attacks have increased tremendously in bandwidth and technique. In this article, we propose a novel approach to mitigate DDoS attacks using an intelligent fast-flux swarm network. An intelligent swarm network is required to ensure autonomous coordination and allocation of swarm nodes to perform its relaying operations. We adapted the Intelligent Water Drop algorithm for distributed and parallel optimization. The fast-flux technique was used to maintain connectivity between swarm nodes, clients, and servers. Fast-flux service networks also allow us to build a transparent service, which allows minimal modifications of existing cloud services (e.g. HTTP, SMTP). A software simulation consisting of 400,000 client nodes and 10,000 swarm nodes has shown that we can maintain 99.96 percent packet delivery ratio when the network is under attack from a similarly sized DDoS network of 10,000 dedicated malicious nodes.

Proceedings ArticleDOI
12 Sep 2011
TL;DR: This paper presents a literature review on the classification of available mechanisms for DDoS defense, used to prevent, detect, respond to and tolerate DDoS attacks, and discusses the merits and demerits of each mechanism over the others.
Abstract: Disruption of service caused by distributed denial of service (DDoS) attacks is an increasing problem in the Internet world. At the present time, to attack the victim's system, the attacker uses sophisticated automated attacking tools for DDoS attacks, but earlier it was performed either manually or by semi-automated attacking tools. These attack tools are used to attack various Internet sites. In this paper, we present a literature review on the classification of available mechanisms for DDoS defense. These defense mechanisms are used to prevent, detect, respond to and tolerate DDoS attacks. It is well known that it is very difficult to stop a DDoS attack; therefore, it would be better to maximize the fault tolerance and quality of service under a variety of intrusions and attacks. In our analysis, we discuss the merits and demerits of each mechanism over the others. In addition, this paper provides a better understanding of the DDoS attack problem and enables a security administrator to cope with the DDoS threat.

Patent
Thomas Bradley Scholl
28 Oct 2011
TL;DR: This patent describes distributed Internet backbone DDoS mitigation via transit providers, in which a provider network includes a data center and a remote point of presence (RPOP) linked to the data center by private backbone links.
Abstract: Methods and apparatus for distributed Internet backbone DDOS (distributed denial of service) mitigation via transit providers. A provider network may include a data center and a remote point of presence (RPOP) linked to the data center by private backbone links. The data center may include servers, a traffic analyzer and a routing information generator. The traffic analyzer determines a target address to which a pattern of traffic matching a profile is detected. The routing information generator may generate new routing information for the target address that avoids the use of the backbone, and provide the information to an IP transit provider. The IP transit provider propagates the new routing information to the RPOP, which directs subsequent traffic to the target address over a path that excludes the backbone.

Proceedings ArticleDOI
06 Dec 2011
TL;DR: This work proposes a novel DDoS detection method based on Hadoop that implements an HTTP GET flooding detection algorithm in MapReduce on the distributed computing platform.
Abstract: Recent distributed denial-of-service (DDoS) attacks have demonstrated horrible destructive power by paralyzing web servers within a short time. As the volume of Internet traffic rapidly grows, the current DDoS detection technologies have met a new challenge: they should efficiently deal with a huge amount of traffic within an affordable response time. In this work, we propose a novel DDoS detection method based on Hadoop that implements an HTTP GET flooding detection algorithm in MapReduce on the distributed computing platform.

Journal ArticleDOI
TL;DR: Methods for protecting against man-at-the-end (MATE) attacks are variously known as anti-tamper techniques, digital asset protection, or, more commonly, software protection.
Abstract: A computer system's security can be compromised in many ways: a denial-of-service attack can make a server inoperable, a worm can destroy a user's private data, or an eavesdropper can reap financial rewards by inserting himself in the communication link between a customer and her bank through a man-in-the-middle (MITM) attack. What all these scenarios have in common is that the adversary is an untrusted entity that attacks a system from the outside: we assume that the computers under attack are operated by benign and trusted users. But if we remove this assumption, if we allow anyone operating a computer system, from system administrators down to ordinary users, to compromise that system's security, we find ourselves in a man-at-the-end (MATE) scenario that has received comparatively little attention. Methods for protecting against MATE attacks are variously known as anti-tamper techniques, digital asset protection, or, more commonly, software protection.

Proceedings ArticleDOI
21 Oct 2011
TL;DR: This paper thoroughly describes the FRC attack and discusses why current application-layer DDoS detection schemes are not applicable to a more subtle attack, and proposes three detection metrics that together form the criteria for identifying an FRC attack from that of normal web activity.
Abstract: Initial threat modeling and security research on the public cloud model has primarily focused on the confidentiality and integrity of data transferred, processed, and stored in the cloud. Little attention has been paid to the external threat sources that have the capability to affect the financial viability, hence the long-term availability, of services hosted in the public cloud. Similar to an application-layer DDoS attack, a Fraudulent Resource Consumption (FRC) attack is a much more subtle attack carried out over a longer duration of time. The objective of the attacker is to exploit the utility pricing model which governs the resource usage in the cloud model by fraudulently consuming web content with the purpose of depriving the victim of their long-term economic availability of hosting publicly accessible web content in the cloud. In this paper, we thoroughly describe the FRC attack and discuss why current application-layer DDoS detection schemes are not applicable to a more subtle attack. We propose three detection metrics that together form the criteria for identifying a FRC attack from that of normal web activity. Experimental results based on three plausible attack scenarios show that an attacker without knowledge of the web log has a difficult time mimicking the self-similar and consistent request semantics of normal web activity.